6 Best Practices for Secure Health Information

Holistic, comprehensive security strategies, centered on protecting data, not devices, are easier than ever thanks to current encryption technology. According to a recent Ponemon Institute study, over the last five years healthcare organizations have slowly increased their investment in data security along with new technologies to better protect Protected Health Information (PHI).

Pre-emptive data encryption is one such way to protect against data loss, but it’s a single – though important – piece of the security puzzle. To best protect PHI and prevent the potentially devastating consequences of a HITECH enforcement violation, security insiders recommend taking a holistic approach to security.

The following 6 best practices from data security experts are proven to help organizations take the strongest possible measures to safeguard PHI.

1. Make security a business goal

Shift the paradigm from short-term cost-benefit analysis and more typical reactive approaches by reframing the conversation around data security as a business imperative. The need to protect PHI can and does impact revenue, so ensure your organization gives due investment to the human and technological resources necessary to create a greater data security fortress.

2. Communicate the imperative

In order for security guidelines to be widely adopted across organizations, all employees, contractors and subcontractors must be brought up to speed with proper training and ongoing reminders. If guidelines are to be optimally adopted, it’s also worth considering introducing clearly defined consequences for different types of infractions.

3. Address the BYOD risk

BYOD – Bring Your Own Device – policies are on the rise, due to greater cost effectiveness and flexibility. But they can leave organizations vulnerable. Define a BYOD privacy policy that addresses the risks of BYOD usage and the procedures to be followed. Once a policy is in place, it is important to reinforce employee adoption through ongoing education on avoiding risky behaviors, and to ensure that all business associates and their subcontractors understand the requirements.

While it may not seem as easy to control the flow of data on employees’ own devices, the risk can often be mitigated with a good encryption solution, which can provide both full and partial disk encryption. Sufficiently controlled access can also facilitate fluidity for practitioners working via mobile devices, allowing them to access data but not download it off the system.

4. Don’t forget about business associates

Employees aren’t the only ones who must comply with HIPAA standards – the rules apply to business associates and their subcontractors too. But a substantial percentage of contractors are not aware of their obligations. Make sure that your efforts are extended to all parties who handle your organization’s PHI, including external vendors. Having them sign an agreement and keeping it on file can help promote better enforcement.

5. Consider a re-org

If your organization hasn’t already done so, consider having the IT privacy and security chief report directly to the board of directors. Routine briefings to the board or CEO on critical current data security issues can help key executives stay abreast of these issues and support a more informed and relevant data security strategy.

6. Don’t just forget about it

A holistic approach to data security means more than introducing a framework of guidelines and moving on. Like the organizations they affect, technology and risks are ever-evolving, and as such, security measures require ongoing review and evaluation to ensure they continue to be up to the task. Make privacy and security risk assessment an annual (or periodic) occurrence, to better gauge ongoing performance and consider how to address new risks.

Synchronizing these many interdependent parties and measures may seem an impossible feat, but effective data security means shifting objectives beyond mere compliance and towards the best long-term data security strategy. Comprehensive strategies, centered on protecting data, not devices, are easier than ever thanks to current data encryption technology.

As Director of Brand and Digital Marketing, Allison Cutler leads the global strategy for WinMagic in relation to Brand Identity, Public Relations, Corporate Communications, Social Media, and Digital Marketing (Content, Search, Website, and Emerging Media). A digital native, Allison’s key areas of interest include: Online Anthropology, Social Commerce, the Internet of Things, Network Thinking, Immersive and Future Technologies. She is also an active member in the arts community and has volunteered with various associations in that regard.